Spotlight on Engineering Excellence 

Guidance, Navigation & Control (GN&C) 
Best Practices for Human-Rated 
Spacecraft Systems 

Neil Dennehy Dr. Ken Lebsock John West 

NESC Orbital Sciences Draper Laboratory 




Program Management Challenge 2008 
Daytona Beach, FL 

26-27 February 2008 

1 


Mission Success Starts With Safety • Safety Starts With Engineering Excellence 



Presentation Outline 

• Introduction and Acknowledgements 

• Motivation 

- Common GN&C Pitfalls 

• Some Key GN&C System Considerations for Human-Rated Spacecraft 

• NESC’s 22 GN&C Best Practices 

• Discussion of Best Practices vs. Real-World Mishaps 

- Progress M-34, LEWIS, X-31A, Ariane-5 

• Observations & Summary 




Mission Success Starts With Safety • Safety Starts With Engineering Excellence 


2 


&3IU3- 










• In 2007 the NESC completed an in-depth assessment to identify, define and 
document engineering considerations for the Design Development Test and 
Evaluation (DDT&E) of human-rated spacecraft systems 

- Requested by the Astronaut Office at JSC to help them to better understand what is 
required to ensure safe, robust, and reliable human-rated spacecraft systems 

• The 22 GN&C engineering Best Practices described in this paper are a condensed 
version of what appears in the NESC Technical Report 


• These Best Practices cover a broad range from fundamental system architectural 
considerations to more specific aspects (e.g., stability margin recommendations) 
of GN&C system design and development 

• 15 of the Best Practices address the early phases of a GN&C System development 
project and the remaining 7 deal with the later phases. 

- Some of these Best Practices will cross-over between both phases. 

• Recognize that this set of GN&C Best Practices will not be universally applicable 
to all projects and mission applications 
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GN&C Related Worldwide Launch Vehicle Failures 



Over the ten year period of 1996 to 2006, 

21 out of the 773 launch attempts worldwide, 
experienced a known GN&C anomaly 

- 1 5 resulted in a catastrophic launch failure 

Approximately one-third (15) of all 52 
catastrophic launch failures worldwide over 
this ten year period were GN&C-related 

Design flaws identified as largest (40%) 

single cause of GN&C-related catastrophic 
launch failures (6 out of 15) 

Avionics and Flight I ~ - 

Software were equally / Jy * 

large (20%) failure 9 » [Jr 

causes at the jr j 

component level 



" ' Successful Launches 
□ Failed Launches, Non-GN&C 
■ Failed Launches. GN&C 
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• Over the ten year period of 1 996 to 2006, 38% (30 out of 79) of 
all NASA spacecraft experienced a known GN&C anomaly 


• 8% of all NASA experienced a catastrophic satellite failure over 
this same time period 


* 50% of catastrophic GN&C anomalies occurred within 10% of 
the satellite’s design life 


• Largest contributing causes of 
catastrophic GN&C anomalies were: 

- Design (33%) 

- Software (33%) 

• Operational (17%) 
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• The primary motivation of this presentation is to provide useful guidance, in 
the form of these Best Practices, to the synthesis and operation of GN&C 
systems for NASA's future human-rated spacecraft. 

• The GN&C Best Practice information contained in NESC Technical Report is 
also intended to provide: 

- Insights for non-GN&C engineers and managers 

- T utorial-type guidance for fresh-out GN&C engineers 

- A useful memory aid for more experienced GN&C engineers especially as a 
checklist for technical evaluation and review of a GN&C system. 

• A secondary motivation of this presentation is to invite feedback on this initial 
set of Best Practices from the NASA Program Management community 

- In particular, we solicit other specific GN&C Lessons Learned that NESC should 
capture based on either crewed and robotic flight system project experiences 







GN&C Interacts With and is Influenced by Virtually All 

Other Spacecraft Subsystems 



'...we cannot do just one thing. Whether we like it 
or not, whatever we do has multiple effects. " 

Dietrich Domer, author of the Logic of Failure, 
commenting on the topic of complex systems / 


‘In space systems, most dynamic problems 
do not occur in one isolated discipline, 
but are an interaction between several 
disciplines or subsystems” 

Bob Ryan, author of “Problems Experienced and 
Envisioned for Dynamical Physical Systems 1 ”, 
commenting on his Apollo, Skylab, and Space 
Shuttle career experiences at NASA 


Propulsion 


Aero- 

dynamics 



m 


Ground 

Control 


£ MtS : 






Payload 


NASA Document TP-2508, August 1985 


Consider: How do faults in other subsystems affect GN&C? 
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s Poor or Missing GN&C Requirements 
s Failure to Stop Requirements Creep 

s Poor Characterization of Mission Operational Regimes & Environments 
s Unknown or Poorly Defined Interactions 
s Unknown or Poorly Defined Interfaces 
s Poorly Defined Coordinate Frames and System of Units 
S Unknown and/or Incorrectly Modeled Dynamics 
S Feedback Control System Instabilities due to Large Model Uncertainties 
s Reliance on Any “Heritage”: in the Hardware, Software, Design Team, etc. 
s Reliance on low Technology Readiness Level (TRL) GN&C technologies 
s Sensor/Actuator Component Degradation & Failure 

S Insufficient On-Board Processing Capability for GN&C Flight Software (FSW) Algorithms 
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s Inadequate Systems Engineering for Coordinated GN&C of Multiple Interacting Vehicles 
(e.g., during Rendezvous and Docking) 

S Poor GN&C Fault Management Strategy 

s Lack of Comprehensive Abort Strategy 

S Inadequate “Safe Haven” capabilities 

S Failure to “Design for Test” 

S Failure to “Test as You Fly and Fly as You Test" 

S Inadequate Hardware In The Loop (HITL) End-to-End Testing to Verify Proper Operations 
s Inadequate Sensor-to-Actuator Polarity Tests (Lack of End-to-End Testing) 

S Unresolved Test Anomalies & Discrepancies 

s No truly independent Verification and Validation (V & V) process for GN&C 

s Failure to Have Crew and Operations Team “Train as You Fly" 

s Inadequate Validation/Certification of GN&C Ground Data and Tools 

s Insufficient Telemetry for GN&C Performance Monitoring and Anomaly Resolution During 
Launch, Early Orbit Checkout & All Mission Critical Events 
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• An examination of the historical record reveals that several GN&C systems 
have been seriously victimized by one of more of the pitfalls listed above 
either during their design, development, test or operational phases. 

• It appears that many previously established Lessons Learned must be 
relearned by the community. 

• The continued repetition of the same GN&C mistakes represents an 
avoidable risk to crew safety and mission success. 

• If rigorously followed these GN&C Best Practices will help protect against 
the pitfalls cited above. 

• Bear in mind however that these GN&C Best Practices will not be 
universally applicable to all projects and mission applications. 

• These Best Practices alone are not a substitute for sound engineering 
judgment, experience, expertise, attention to day-to-day details, and 
intellectual curiosity. 
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Two Representative Examples Where Breakdowns in 
the Application of the GN&C Best Practices Occurred 


http://www.dfrc.nasa.gov/gallery/photo/inclex.html 
NASA Photo: EC01-0182-1 1 Date: June 2, 2001 Photo by: Jim Ross 
The X-43A/Pegasus combination dropped into the Pacific Ocean after losing control early in the first 
free-flight attempt. 


X-43A / Pegasus Launch June 2, 2001 Ariane 5 Flight 501 June 4, 1996 


Mission Success Starts With Safety • Safety Starts With Engineering Excellence 


14 









&3.1N 3'- 







Significant GN&C Related Anomalies on Crewed Spacecraft 


Gemini 8 March 1966 

Failed “On” thruster causes 
vehicle to tumble; crew uses re- 
entry thrusters to recover attitude 


Skylab Nov 1973 

Control Moment Gyro 
(CMG) failure 


STS-51F July 1985 

Abort to Orbit performed 
following a premature 
SSME shutdown during 
ascent due to false engine 
overheating indications 


Soyuz 18-1 April 1975 

First high altitude abort of a 
crewed spacecraft when 2 nd 
stage fails to separate from 3 rd 
stage of booster; crew survives 
20 g reentry 


Soyuz T-10A Sept 1983 

First pad abort of a crewed 
spacecraft after pad fire; crew 
survives 17 g Launch Escape 
System flight 


STS-9 Nov 1983 

GPC failures during 
deorbit, entry and landing 


ISS June 2007 

Loss of thruster based 
attitude control due to 
Russian computer outage 


ISS June 2002 

Control Moment Gyro 
(CMG) failure 


Apollo 12 Nov 1969 

Saturn- V booster struck 
by lighting; IMU in 
Command Module 
tumbles & crew looses 
attitude reference 


Progress M-7 March 1991 

Aborted Progress docking leads to 
miss encounter with Mir space 
station due to Kurs radar damage 


STS-91 June 1991 

Primary Avionics 
Software System (PASS) 
corrupted by GPS errors 


Apollo 13 July 1969 

Oxygen tank explosion forces 
crew into LM “Lifeboat” and 
necessitates manual IMU 
alignment transfer process 
between CM and LM platforms 


STS-1 April 1981 

Significant unpredicted 
Orbiter rocking motion on 
ET, when SSME’s slewed 
to stow position, causes 
cyclic pitch thruster firings 



Progress M-34 June 1997 

Collided with Mir 


STS-3 March 1982 

Orbiter flight control and robotic arm 
systems dynamically interact causes 
unexpectedly high vernier thruster 
duty cycles 


STS-1 April 1981 

Unmodeled vernier thruster 
plume impingement causes 
greatly increased duty cycles 
and propellant consumption 


Soyuz Ballistic Re-Entries 

Soyuz 33 April 1979 10 g’s 
Soyuz TMA-1 May 2003 8 g’s 
Soyuz TMA-10 Oct 2007 9 g’s 



Apollo 10 May 1969 

LM tumbles while in low lunar orbit; 
IMU gimbal lock narrowly avoided 
during attitude recovery by crew 


Apollo 11 July 1969 

LM guidance computer overloaded 
during powered descent 



STS-3 March 1982 

Handling Qualities/PIO 
problem: Unintended 
Orbiter pitch-up during 
landing rollout 
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Some Observations on 

Significant Human Space Flight Vehicle Failures 


• Several significant GN&C anomalies have occurred on-orbit 

• Anomalies can occur at any time: on the launch pad, during ascent, on- 
orbit, entry, decent and/or landing 

• In failure cases other than ascent and reentry the crew had time evaluate, 
troubleshoot, and respond to on-orbit failures (e.g., Apollo 13) 

• It can be inferred that spacecraft robustness precluded a number of 
significant failures from becoming catastrophic 

• One notable statistic: With the exception of the Apollo-1 cabin fire, the 
loss of human life has only occurred during ascent and reentry which are 
the two most dynamic phases of the mission 

• During high risk/highly dynamic mission phases it is important to include 
response time and automation into the redundancy and backup 
spacecraft reliability trades 

• The different aspects of all mission phases must be considered when 
selecting spacecraft architectures and when deciding where to buy down 
risks 







Some Key GN&C System Considerations 
for Human-Rated Spacecraft 
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NESC’s 22 GN&C Best Practices 
15 for “Early Work” 

7 for “Late Work” 
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1 Early and iterative GN&C subsystem architectural development 

2 Define all GN&C interdisciplinary interactions and relationships 

3 Ensure implementation of comprehensive Abort/Safe Haven 
strategies/functions 

4 Adequacy of host computer and proper selection of execution frequencies 

5 Independent hardware and software for GN&C fault management 

6 Establish & flowdown GN&C requirements for multi-vehicle system 

7 Evaluate redundancy with identical GN&C hardware components 

8 Evaluate heritage hardware and software in the GN&C architecture 

9 Make certain that new GN&C technology is well qualified 

10 “Design for Test” when evaluating candidate GN&C architectures 

11 Define and document the coordinate frames and the system of units 

12 Controller designs shall have robust stability margins 

13 Understand & completely analyze the dynamics in ALL flight phases 

14 All test anomalies must be understood and may need to be included in the 
truth model 

15 Verification Truth Model must be developed independently 
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16 Establish a strong relationship with, and maintain close surveillance of GN&C 
lower-tier component-level suppliers 

17 Adhere to the “Test As You Fly” philosophy 

18 Conduct true end-to-end sensors-to-actuators polarity tests in all flight 
configurations 

19 Plan and conduct sufficient GN&C hardware-in-the-loop testing to verify proper 
interactions 

20 Carefully manage GN&C ground databases, uploads, ground application tools, 
and command scripts / files 

21 Ensure sufficiency of GN&C engineering telemetry data 

22 “Train as They Fly”: Develop a dedicated real-time GN&C simulator for the 
crew/operators 

Reference: 

Each of the 22 NESC GN&C Best Practice listed above is described 
in detail in the A1AA technical paper A1AA-2007-6336, entitled 
“GN&C Engineering Best Practices for Hunan-Rated Spacecraft Systems ”, 
dated August 2007, by Dennehy/Lebsock/West 
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Top-Level Summary of the M-34 Mishap 


• Progress-M spacecraft is an unmanned cargo and 
resupply vehicle used to send equipment to Mir. 

• On 6/25/97 a 2nd test was performed of the manual 
Toru proximity docking system as a lower cost 
substitute for the autonomous Kurs rendezvous 
and docking system. 

• Operator on Mir had difficulty determining range 
and range rate with the Kurs radar switched off. 

• Progress went off course and collided with a solar 
array and radiator on the Spektr module and then 
the module itself. 

• Spektr hull was breached causing significant air 
loss before Spektr module could be sealed off. 

• Evacuation of the station was narrowly avoided. 

• There were three immediate causes of the crash: 

- The higher than planned initial closing rate 

- Late realization that closing rate was too high 

- Incorrect final avoidance maneuvering 




i 


Mission Success Starts With Safety • Safety Starts With Engineering Excellence 





Root Causes of the M-34 Mishap vs. 
NESC GN&C Best Practices 


1 . Range was to be determined by observing the size of a video image of Mir 
taken by a camera on Progress. The sole source of range rate information was 
the changing angular size and position of the image. 

BP #9: The rate measurement scheme was nor qualified. 

BP #5: No independent way was provided to determine a fault in the rate 
measurement 

2. The operator continued to maneuver and aim for the docking port after 
noticing that the closing rate was higher than expected. 

BP #14: Failure to explain test anomalies. 

3. Post crash simulations show that the rendezvous trajectory was passively 
safe so that if the operator had stopped maneuvering in time the collision 
might have been avoided. 

BP #6: Pre-test Systems Engineering did not flow down appropriate 
requirements to insure the safe interaction between the vehicles . 

4. The operator could not realistically train and rehearse the rendezvous in 
advance because there were no simulation training facilities onboard Mir. 

BP #22: There was no provision to " Train as They Fly”. 








LEWIS was launched on August 23, 1997 into low Earth Orbit. 


1. At launch, LEWIS was under control of the A-side 
processor. At first contact it had already switched 
to the B-side and was unable to playback SSR 
data. 

2. After 45 hours of nadir pointing on B-side, the 
Ground crew switched control back to the A-side. 
The attitude was uncontrolled so the A-side Sun 
pointing mode was entered. 

3. After verifying that the spacecraft had been stable 
in the Sun mode for four hours of operation, the 
Ground crew entered a nine-hour rest period and 
ceased operations for the day. 

4. During that unattended period, the spacecraft 
entered a flat spin that resulted in a loss of solar 
power and a fatal battery discharge. Contact with 
the spacecraft was lost on August 26. 

5. The spacecraft re-entered the atmosphere and was 
destroyed on 28 September 1997. 







1. Safe mode was adapted from the TOMS spacecraft which had its X-axis normal to 
the solar array. X was the major axis of inertia on TOMS but it was the intermediate 
axis of inertia on Lewis. 

BP #8: Over-reliance/Over-Confidence on TOMS heritage. 

BP #1 : GN&C Safe mode architectural was not iterated. 

2. X-axis spin rate was not sensed and could not be controlled. 

BP #3: Ensure implementation of comprehensive Abort/Safe Haven 

strategies/functions. 

3. The Ground crew failed to adequately monitor spacecraft health and safety during 
the critical initial mission phase. 

BP #21 : Ensure sufficiency of GN&C engineering telemetry data. 

4. X-axis rate produced disturbance torques in other axes resulting in excessive 
thruster firings which led to autonomous shutdown of thrusters. 

BP #13: Understand & completely analyze the dynamics in ALL flight phases. 

5. In the absence of control, the spacecraft dynamics transferred spin from the X to the 
Z axis with the solar array edge on to the Sun. 

BP #15: Independent Truth Model should have identified un-modeled effects. 
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Top-Level Summary of the X-31A Mishap 



The X-31 program demonstrated the value 
of Thrust Vector Control (TVC) coupled with 
advanced flight control systems, to provide 
controlled flight during close-in air combat 
at very high angles of attack. 

• The final flight of the X-31 A was through 
atmospheric conditions conducive to icing. 

• The flight went as planned until an ice buildup 
blocked the pitot tube. 

• The Flight Computer used invalid air speed 
data to generate attitude control commands. 

• Inappropriate commands resulted in 
uncontrollable/divergent pitch oscillations. 



• The pilot ejected at 18,000 ft. and parachuted to the ground. 

• A NASA mishap-investigation board concluded that an accumulation of ice in or 
on the unheated pitot-static system was the proximate cause of the crash. 

• Underlying Issues included: 

-Incomplete/improper interpretation of hazards analysis 
-Breakdown in configuration management and change documentation 


-Failure to impose proper ops controls and take preventative action 
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Root Causes of the X-31 A Mishap vs. 

NESC GN&C Best Practices 

1. The decision to install a new airspeed probe without a heater assumed that no 
flights would be made through conditions conducive to icing. The test pilot was 
unaware that the pitot heater switch was not working. 

BP #10: Failure to design for test. 

BP #20: Failure to coordinate information on potential hazard due to change 
in configuration. 

2. Spurious air speed readings were noticed as ice built up and pilot switched ON the 
inoperative heater. Control room debated and finally replied that heater “...may not 
be hooked up” 9 seconds before warning tone and master caution light came on. 

BP #14: Failure to explain test anomalies. 

3. When the Flight control computers received erroneous airspeed inputs, flight 
control gains changed so drastically that the pilot could not maintain control. 

BP #12: Insufficient control system stability margins. 

CP #13: Lack of parametric uncertainty analysis for control system. 

4. ‘Fall-back’ fixed gain reversion modes were available for such situations, but had 
not been practiced and the pilot had not been briefed on their potential use in the 
event of unreliable airspeed data. 

BP #3: Abort/Safe Haven strategy (Reversion Mode) was not utilized. 

5. Data from alternate air speed indicator that used a different pitot tube was ignored. 

BP #7: Independent airspeed sensor data was available but not utilized. 
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The maiden flight of the Ariane 5 launcher on June 4, 1996 relied on identical GN&C 

hardware and software for redundancy. 

• 39 seconds into the flight the primary Inertial 
Reference Unit (SRI-1) stopped sending correct 
attitude data due to a software exception. 

• The On-Board Computer (OBC) switched to the 
backup inertial unit, but SRI-2 also failed due to 
its independently determined (but identical) 
software exception. 

• The OBC could not switch back to SRI-1 so it 
took data that was actually part of a diagnostic 
message written to the bus by SRI-2. This data 
was interpreted as flight data and used for 
thrust vector control. 

• The sudden swivelling of both solid booster 
nozzles up to the limit caused the launcher to 
tilt sharply giving rise to intense aerodynamic 
loads leading to destruction of the vehicle. 
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Root Causes of the ARIANE-5 Flight 501 Mishap vs. 

NESC GN&C Best Practices 


1. Primary Inertial Reference Unit, SRI-1, stopped sending correct attitude data due to 
a software exception. 

BP #2; Interactions between S/W and GN&C were not defined with enough 
care. 

BP #8: Heritage software for Ariane-4 was inappropriate for Ariane-5. 

BP #20: Database confusion over reference trajectories. 

BP #17: Failure to adhere to “Test as You Fly ” approach. 

2. Switchover to the backup unit was accomplished, but SRI-2 immediately failed in the 
same way as SRI-1 . 

BP # 7: Evaluate if redundancy using identical GN&C components increases 
or decreases reliability. 

3. The OBC could not switch back to SRI-1 so it accepted SRI-2 diagnostic data as 
attitude data and generated improper TVC commands. 

BP #3: Ensure that Abort/Safe Haven strategies/functions are properly 
implemented. Ariane-5 was lacking a simple and reliable “Never Give Up” 
flight control capability. 
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Observations 


• Complex space systems can produce flight articles that 
have a high sensitivity to parameter variations and 
reduced margins of stability and safety 

• The ways humans approach complex design and/or 
operational problems, and fail to solve them, is often 
because of an inability to think systemically 

• This is critically important for the GN&C subsystem which 
interacts with virtually all the other subsystems on the 
flight article 

• Lessons are being documented but not being “learned” 

• One needs to not only carefully design/test all the new 
system capabilities functions but also make sure the 
previously established capabilities are implemented 
correctly 
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• This presentation has introduced the initial set of the NESC GN&C Best 
Practices for review and comment by the Program Management 
community 

• The NESC GN&C Technical Discipline Team (TDT) is initiating a “GN&C 
Guidelines Project” to: 

- expand and build upon the work done to date 

- to more formally document and distribute a comprehensive set of Agency- 
wide GN&C System development guidelines 

• We welcome and solicit constructive feedback from the Program 
Management community as we go forward with this activity 

• Call Neil Dennehy at NASA/GSFC on 301-286-5696 (or e-mail at 
comeliusj. dennehv(a)nasa. gov) with your: 

- Comments 

- Questions 

- Experiences 

- Inputs 








The HXLV (Pegasus) was used to 
accelerate the Hyper-X Research Vehicle 
(HXRV) to the required Mach number and 
operational altitude for demonstration. 


The trajectory that was selected to 
achieve the mission was at a lower 
altitude (i.e. a higher dynamic pressure) 
than a typical Pegasus trajectory. 

Flight went as planned after B-52 drop 
until pitch-up maneuver. 

Diverging roll oscillation at 2.5-Hz frequency occurred during pitch-up. 

Roll oscillation continued to diverge until about 13 seconds into flight. 

Rudder electro-mechanical actuator stalled & ceased to respond to autopilot at 
that point causing loss of yaw control. 

Loss of yaw control caused X-43A stack sideslip to diverge rapidly to over 8°. 
Structural overload of starboard elevon occurred at 13.5 sec. 

Loss of control caused X-43A stack to deviate significantly from planned 
trajectory. 

Vehicle terminated by range control about 49 sec. after release. 
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Root Causes of the X-43A Mishap vs. 
NESC GN&C Best Practices 


1. The vehicle control system design was deficient for the trajectory flown due to 
inaccurate analytical models which overestimated design margins. 

BP #8: Over-reliance/Over-Confidence on Pegasus heritage. 

BP #17: Failure to adhere to “Test as You Fly ” approach. 

2. Failure triggered by divergent roll oscillatory motion at 2.5 Hz, caused by excessive 
control system gain. 

BP #12: Insufficient control system stability margins. 

3. Modeling inaccuracies in fin actuation system & aerodynamics. Insufficient 
variations of modeling parameters. 

BP #13: Lacking parametric uncertainty analysis for control system. 

4. Rudder actua ter sic* II occurred as consequence of divergent roll which accelerated 
loss of control. 

BP #14: Inadequate dynamic modeling. 

5. Flight failure was only reproduced when all modeling inaccuracies with uncertainty 
variations were incorporated in system-level linear analysis model & nonlinear 
simulation model. 

BP #15: Independent Truth Model should have identified un-modeled effects. 
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Top-Level Summary of the TIMED Mishap 


The Thermosphere, Ionosphere, Mesosphere, 
Energetics and Dynamics (TIMED) spacecraft was 
launched on 7 December 2001 into low Earth orbit. 
There were 4 separate GN&C anomalies early in 
the mission: 

1. Shortly after separation there was a steady 
increase in spacecraft system momentum. 

2. Coming out of eclipse and seeing the Sun for the 
first time in Sun Pointing Mode, the spacecraft 
pointed an incorrect axis toward the Sun. 

3. The Nadir Pointing Mode, which is used for 
Science observations, had an unanticipated 2.1 Hz 
oscillation. 



4. Momentum dumping occurred 10 times/day 
rather than the expected once/day. 
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1. There was a Sign Error in the Momentum Unloading Control Logic. 

BP #1 8: True end-to-end sensors-to-actuators polarity tests not conducted. 

2. Two of the Sun Sensors were not in the flight configuration during ACS polarity test. 

BP #17: “Test As You Fly” philosophy was not enforced. 

3. There was a Controls-Structures Interaction (CSI) with the Solar Array Flex Mode 
which varied from 2.0-2.6 Hz depending on array orientation. 

BP #2: Interactions between GN&C, Power, and Structures were not well 

defined. 

BP #12: Stability margins were not robust to parameter variations. 

4. The Spacecraft had a 10 A-m 2 Residual Magnetic Dipole. 

BP #2: Residual dipole requirement was not specified. 

ZP d 17: Residua! d'pdc was net measured in ground test 
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